Computer security breaches are becoming more and more severe nowadays. Internet crimes are pervasive and have spread into all walks of life.

Although there are security experts who help us by providing valuable advice, and we can buy products that can prevent security breaches, hacking techniques have also improved a lot.

As a result, the black-hat and white-hat camps are at war. In truth, there is no perfect cure in computer security.

The most prudent approach is to prepare for the worst. Before we can do so, we have some tasks to do.

These tasks are collectively known as risk management. In computer security, risks are the threats that we have to remove as soon as we can. Some risks cannot be eliminated, and so we have to manage them accordingly.

The first task in risk management is risk identification. We need to find out all possible threats facing us. These can be caused by humans (either through carelessness or intentional acts) or nature (e.g. acts of God). For example, we might leave our phone on the bus, or receive malware after playing an online game.

After all the threats have been listed, we move on to risk analysis, where we rank the threats in order of how likely they are to occur.

For example, if you are absent-minded when you play online games, there is a bigger chance that you will leave the phone on the bus than receive malware. Using this prioritised list, we can allocate our efforts to counteract the threats appropriately. This is the third task: risk control.

There are five risk control strategies: defend, transfer, mitigate, accept, and terminate. Each risk may call for a different control strategy.

The choice of risk control strategy depends on the nature and the likelihood of that risk. So if the risk of receiving a junk message is not that high, and the impact not too severe, we can “accept” it.

If losing a phone is highly likely and the impact is severe because of privacy issues, we can “mitigate” it.

In the mitigate strategy, we should have a contingency plan. Perhaps this would mean using the remote deletion function to erase content on the phone.